The UK’s National Health Service (NHS) has launched an investigation into claims that a security vulnerability within an application programming interface (API) at private healthcare provider Medefer potentially exposed sensitive patient data.

The flaw was discovered in November 2024. The whistleblower software engineer, who unearthed the vulnerability and, according to BBC News, wishes to remain anonymous, suggested that the lapse in data protection could have persisted for as long as six years. However, Medefer, which processes around 1,500 NHS patient referrals each month, contested this duration. It further claimed that no patient data was compromised and the flaw was fixed a few days after its discovery. “We are looking into the concerns raised about Medefer and will take further action if appropriate,” an NHS spokesperson told BBC News.

NHS data exposed due to API security flaw

Medefer’s digital platform facilitates the booking of virtual appointments for NHS patients through the e-referral system (e-RS) and makes necessary patient data available to clinicians to help them provide online consultations.

However, the API security flaw made the private details of patients vulnerable. The software engineer claimed that the vulnerability specifically affected Medefer’s internal patient record system, which stores NHS data, by allowing access without proper authentication through the API.

While there has been no evidence of data being compromised and the vulnerability has since been rectified, the flaw did leave data susceptible to a potential targeted attack.

In the wake of the incident, Medefer engaged an external security firm in late February to conduct a comprehensive review of its data management systems. Medefer said that it has received confirmation from the external security firm that no data breach occurred and that all of its data systems are currently secure.

The company has also reported the matter to the Information Commissioner’s Office (ICO) and the Care Quality Commission (CQC). The ICO has determined that no further action is necessary due to the absence of any data breach evidence.

“There is no evidence of any patient data breach from our systems,” Medefer founder and CEO Bahman Nedjat-Shokouhi said. “The external security agency has asserted that the allegation that this flaw could have provided access to large amounts of patients’ data is categorically false.” Nedjat-Shokouhi further claimed that the flaw was fixed in 48 hours.
